Author
Topic: 18.7 unbound with dnscrypt (Read 677 times)

There are several guides here in the forum and in the web dealing with the problem how to use dnscrypt with unbound. Most of them do not work because they are describing it for an old version of dnscrypt-proxy. I have created an guide working with OPNsense 18.7 and dnscrypt-proxy2 available via pkg. For those who are interested in it, I attached it to this post. If the OPNsense gurus find it worth to be added to the wiki, feel free to do it.

That looks like it's going to be a great guide. Thanks for taking the time! Unfortunately most of the text boxes are blank (with command line output), though the images all seem to have embedded fine. Can you take another look and re-upload? I'm interested in reading it as I rely on forwarding to DNS over TLS atm, which isn't ideal using Unbound. As you probably know, Unbound can't reuse TLS connections and has to make new ones for every query, slowing down DNS resolution. Using dnscrypt-proxy would fix this nicely.

Hello Rainmaker,I reviewed the pdf file and found the texboxes are not empty but the scrollbars are missing so you see only the content that fits into the frame size. I would attach the original Open-/Libreoffice document. Unfortunately it does not fit into the 256 kB limit for attachments. I will put it onto Google drive for some limited time. https://drive.google.com/file/d/1dRj8VpfZdSHDAhrNBOZWD6YGNZzYO9MH/view?usp=sharing The view in the web browser will not show it correctly, you need to download it and open it from local.

i opened the link and downloaded the file but still, there are some pictures left not showing at all, no matter how i try to open it.

One question about the technical setup:i am pretty new to dnscrypt. Am i correct to say that dnscrypt-proxy is "collecting" all DNS traffic like a proxy for the LANs asking the Firewall on port 5353 and then forwarding the queries via the standard port 53 to the servers configured in the config file? How is dnscrypt achieving encryption to the DNS servers configured in this case? Is local Traffic to the Firewall Unbound encrypted as well? Just curious but did you test that your traffic is now really encrypted or did you just "guessed" it to work?

I double checked on my Windows system with Openoffice 3.4.1 and Libreoffice 6.1.2 and also on another PC with Arch Linux and Libreoffice 6.1.2. but eveything looked ok. However I recreated that document and put it in a zip file. Here is the download link https://drive.google.com/file/d/1gOVckOv7ytuTk2aoUV1dtz3loWIq58xA/view?usp=sharing I retested with downloading it from Google Drive on both the Windows and the Linux PC and still all looked ok.

The setup is not exactly working like you assume. dnscrypt-proxy is set to listen only on the localhost addresses 127.0.0.1 (IPv4) and ::1 (IPv6) on port 5353. The unbound dns client is setup to forward all queries to these addresses/port while itself is listening on port 53 on all interfaces. So the flow for a dns query from a client in the lan is client->unbound(port53 on lan interface on opnsense)->dnscrypt-proxy(port 5353 on localhost address on pfsense)->dnscrypt DNS server(port 443) in internet via wan interface on opnsense. The reply from the DNS server in the internet will then returned back to client following this flow in the opposite dircetion. DNS server->dnscrypt-proxy->unbound->client.The reason behind that scenario is unbound can act as an dns resolver for your local network. If you allow to register dhcp leases of your clients in the unbound dns resolver you can reach them via their hostnames and do not need to know their IP addresses. This is something dnscrypt-proxy cannot do. The need for dnscrypt-proxy is only because unbound (and also dnsmasq) currently has only limited support for dnscrypt and the freebsd version is build without it. In future versions when unbound fully supports dnscrypt, doh (DNS over https) and dot (dns over TLS) there no longer need for a proxy like dnscrypt. If you want your client send the queries directly to dnscrypt-proxy, yes this is also possible but needs a lot of other manual setups because most of it is not supported via the opnsense GUI.For details how dnscrypt works you should read https://dnscrypt.info/protocol/. It describes very well how the communication between dnscrypt clients/servers works.How dnscrypt-proxy is getting a list of dnscrypt servers is defined in the [sources] section of the config script.

## Another example source, with resolvers censoring some websites not appropriate for children ## This is a subset of the `public-resolvers` list, so enabling both is useless

# [sources.'parental-control'] # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v2/parental-control.md'] # cache_file = 'parental-control.md' # minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'The dns traffic on the lan side is not encrypted because unbound currently does not support this. And you should keep in mind even when unbound supports an encryption like DNS over TLS your clients in the lan must support it too or you would have to setup it for both unencrypted and encrypted dns queries. When you think about all your devices connecting to your network like smartphones, smart TV, PC, macs, nas, WiFi routers and other smart home devices I'm in doubt that all of them ever will support encrypted dns.I did exhaustive tests to make sure all outgoing dns queries were routed through dnscrypt-proxy. I set it up to log all queries so I could see that indeed all dns queries for servers outside my network were routed through dnscrypt-proxy and finally I took and packet capture on the wan interface and checked there if all dns queries were encrypted.I would never had provide that guide whithout being sure that it works.

thank you so so much for your detailed answer, that fully explained everything what i had in mind.For the clients it's probably easier (for now) to route traffic via VPN to the firewall, if it's really that important to encrypt all traffic inside the LAN. Lovely feature. I hope it will get some more support for an "official" BSD/OPNsense release via GUI. That would be cool.

About the doc file.. i will try different OS and networks as well, maybe it's just my PC acting weird, since some pictures are there and others are not.

Just to let you know I followed the guide and this works perfectly. Thanks! My one bugbear about unbound is the fact it can't reuse TLS sessions if you enable DoT, making lookups slower. Now I have speedy lookups without losing the encryption. Perfect! Just a couple of little pointers for v2 of the guide (if you ever release it):

1) You missed the first forward slash off the paths, eg 'etc/rc.conf' instead of '/etc/rc.conf'. 2) The command to enable dnscrypt-proxy was given as 'sudo service dnscrypt-proxy enable' but should have been 'sudo service dnscrypt-proxy enabled' (note the 'd' on the end).

Hello, @mimugmailyes, you can use dnscrypt-proxy also for blacklisting and this needs to be configured. However I never dealed with it because my intention was and is to keep that at unbound or dnsmasq. I want to have dnscrypt-proxy as a simple forwarding proxy only. If the blacklist filtering is done at unbound or dnsmasq, queries for blacklisted domains will never go to dnscrypt-proxy and so there is no need for DNSBL in dnscrypt-proxy. All configuration is done in usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml. If you want to use blacklisting in dnscrypt-proxy please look into referring sections of this file. You can also have dnscrypt-proxy as a standalone solution for dns resolving but this requires a lot of config not only in dnscrypt-proxy (i.e. no other service must listening on port 53, registering dhcp leases and so on).

@rainmakerfixed the typos you mentioned and uploaded the new version. I also removed the link to the old version. Now only the last link will work. It contains both, my first and the very last version.

I am having some issues with my configuration and not sure how to resolve it. Particularly, my unbound config and dnsleak tests are returning Cloudflare dns servers when I am actually connected to another country via OpenVPN client.

I am happy to share anything related to my config to help anyone willing to chime in.